Strengthening the Human Firewall: Security Awareness Training

Why do we need cybersecurity awareness training? To me, having put together our Cybersecurity Radar Report, the answer is simple: since it is impossible to prevent every attack automatically, we need to make humans part of our firewall. Awareness training mitigates the human risk that remains once a person is sitting in front of a computer.

From my perspective, cybersecurity training is not new, but it is still hugely needed. Commonly cited statistics attribute around 90% of breaches not to a weakness in the technology, but to human error: most of the time the cause was a human factor.

In terms of target groups, we can consider first cybersecurity professionals, who certify systems within cybersecurity programs or conduct audits. Then there is the larger population: you, me and everybody who sits in front of a computer connected to the Internet. Professional security training tends to involve formal courses and structured lists of topics, but organizations tell us that even with this in place, they are still being attacked.

This need is driving new forms of blended training into the market. The content may be the same, but the delivery methodology and format are different. Today it draws more on psychology, aiming to change people's behavior and make secure habits instinctive while they are working.

Security awareness training can still be part of the formal training you receive when you join an organization. In addition, it can work alongside you. If you make a security error, a product can capture it on the spot and deliver a 'just in time' training module: something that grabs your attention and reminds you 'you should not do this'. This is not simply software that blocks you; it is a three- or five-minute training capsule. Once you have completed it, the system keeps monitoring your behavior and, whenever required, repeats the training on that topic until you build the right reflexes.

The goal is not perfection. Consider, for example, a busy end-user who receives a call that sounds like it comes from an engineering company but is actually somebody trying to trick them. The idea behind awareness training is not that 100% of people will resist such phishing attempts, but to change everyone's reflexes. If I see an email with a link, my reflex should be not to click on it. A 70% resistance rate is very different from 30%.

To deliver on this, vendors need to give organizations a way of delivering awareness content that fits human psychology at the moment people are in front of a computer. They also need a comprehensive library of topics. This goes beyond phishing: if I plug in a USB drive that I found in the street, that is another attack vector entirely.
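The 'just in time' loop described above (capture the slip, deliver a short capsule, keep monitoring, repeat when needed) and the USB example can be made concrete in code. What follows is an added illustration written for this article, not code from any vendor's product: a small dispatcher that maps risky user events to training capsules, applies a cooldown so the same capsule is not pushed twice in quick succession, and escalates to a human when repeating the capsule has clearly not built the reflex. The event names, capsule titles, cooldown window, escalation threshold and the sample event stream are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Risky behaviours mapped to the short capsule that addresses them.
# Event names and capsule titles are assumptions made for this example.
CAPSULES = {
    "phishing_link_clicked": "Spotting suspicious links (3 min)",
    "unknown_usb_inserted": "Untrusted removable media (5 min)",
    "sim_credentials_submitted": "Verifying login pages (5 min)",
}

COOLDOWN = timedelta(days=14)   # assumed: don't push the same capsule twice in two weeks
ESCALATE_AFTER = 3              # assumed: third occurrence of the same slip -> human follow-up


@dataclass
class UserState:
    occurrences: dict = field(default_factory=dict)     # capsule -> how often triggered
    last_delivered: dict = field(default_factory=dict)  # capsule -> datetime of last delivery
    completed: set = field(default_factory=set)         # capsules the user has finished


@dataclass
class Decision:
    action: str                  # "deliver", "cooldown", "escalate" or "ignore"
    capsule: Optional[str] = None


def handle_event(user: UserState, event: str, when: datetime) -> Decision:
    """Decide on the spot what the monitoring agent does with one observed event."""
    capsule = CAPSULES.get(event)
    if capsule is None:
        return Decision("ignore")          # not a behaviour we train on
    n = user.occurrences.get(capsule, 0) + 1
    user.occurrences[capsule] = n
    if n >= ESCALATE_AFTER:
        # Repeating the capsule has not built the reflex; hand over to a blocking
        # control or a manager instead of interrupting the user yet again.
        return Decision("escalate", capsule)
    last = user.last_delivered.get(capsule)
    if last is not None and when - last < COOLDOWN:
        # Same slip inside the cooldown window: count it, but don't nag again yet.
        return Decision("cooldown", capsule)
    user.last_delivered[capsule] = when
    return Decision("deliver", capsule)


def record_completion(user: UserState, capsule: str) -> None:
    """Called when the user finishes the capsule; monitoring continues regardless."""
    user.completed.add(capsule)


def process_stream(events):
    """Run a (user, event, timestamp, completed_capsule?) stream in order.

    Returns one (user, action, capsule) tuple per event.
    """
    users = {}
    out = []
    for who, event, when, completed in events:
        state = users.setdefault(who, UserState())
        decision = handle_event(state, event, when)
        if decision.action == "deliver" and completed:
            record_completion(state, decision.capsule)
        out.append((who, decision.action, decision.capsule))
    return out


# Constructed sample stream for the example (not real telemetry).
SAMPLE = [
    ("alice", "phishing_link_clicked", datetime(2024, 3, 1, 9, 0), True),
    ("alice", "phishing_link_clicked", datetime(2024, 3, 4, 11, 0), False),  # inside cooldown
    ("bob",   "unknown_usb_inserted",  datetime(2024, 3, 2, 8, 30), True),
    ("alice", "phishing_link_clicked", datetime(2024, 4, 2, 10, 0), False),  # third time -> escalate
    ("bob",   "unknown_usb_inserted",  datetime(2024, 3, 20, 8, 30), True),  # past cooldown -> deliver again
    ("carol", "vpn_connected",         datetime(2024, 3, 2, 9, 0), False),   # not a risky behaviour
]

if __name__ == "__main__":
    for row in process_stream(SAMPLE):
        print(row)
```

Running the block prints one decision per sample event: Alice is trained once, left alone during the cooldown, then escalated on her third click; Bob is trained on both USB insertions because the second falls outside the window; Carol's VPN event is ignored. The point of the cooldown and escalation is the one made in the text: the capsule exists to build a reflex, so a dispatcher has to notice when repetition is not working and change tactics rather than keep interrupting.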

Finally, for cybersecurity awareness to succeed, you need buy-in from the business. You have to get people involved and keep them motivated. If a user has had formal training and does not want to cooperate further, that is a much bigger problem!